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On page 4, delete paragraph f00311 and replace with the following paragraph: 

[0031] Figure 17A is first portion of a policy scorecard. Figure 17B is second 
portion of a policy scorecard. Figure 17C is third portion of a policy scorecard. Figure 17D 



t 


On page 4, delete paragraph [0034] and replace with the following paragraph: 






[0034] Figure 20A is first portion of an embodiment of a risk dashboard. Figure 
20B is second portion of an embodiment of a risk dashboard. 




On page 10, delete paragraph [0062] and replace with the following paragraph: 




[0062] In one embodiment, interviews 78 (shown in Figure 3) are conducted in 
accordance with a question owner's matrix. More specifically, Figures 4 A and 4B show one 
embodiment of a question owner's matrix 100. A question owner's matrix 100 is used as a 
guideline for identifying an interviewee for each sub-group of questions. The question 
owner's matrix 100 is constructed using the knowledge base within server 12. The 
knowledge base may include any information relevant to conducting an interview relating to 
compliance. The knowledge base may include, for example, information associating a group 
of questions with relevant functional knowledge, a summary of the details of program current 
status, improvement opportunities, identification of action item owners and a list of potential 
best practices. The question owner's matrix 100 lists compliance assessment areas 102. 
Compliance assessment areas 1 02 are any areas of a business that are being reviewed for 
compliance. Examples of compliance assessment areas 102 include, but are not limited to 
infrastructure, equal employment opportunity, antitrust, trade controls, ethical business 
practices and supplier relationships. The question owner's matrix 100 may also identify 
potential interviewees 104 by function for each area assessment using the knowledge base. 
Examples of interviewees 104 include, but are not limited to engineering, marketing, 
manufacturing, legal, purchasing, finance, and human resources. 

On page 13, delete paragraph [0071] and replace with the following paragraph: 
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[0071] In Figure 10, next to compliance risks 166, the specific policy numbers are 
identified. These policy numbers are also cross-referenced appropriately in Figures 9, 1 1, 
12 A, 12B, 13A and 13B. For example, Policy Number 20.4 refers to "Ethical Business 
Practices", Policy Number 20.5 refers to "Complying with the Antitrust Laws", Policy 
Number 30.5 refers to "Avoiding Conflicts of Interest", Policy Number 30.7 refers to 
"Financial Controls & Records" and Policy Number 30.13 refers to "Supplier Relationships". 
Other policies that are referenced are, Policy Numbers - 20.2 Equal Employment 
Opportunity, 20.3 Health, Safety & Environmental Protection, 20.9 Following International 
Trade Controls, 20.10 Working with Government Agencies, 20.12 Prohibition on Business 
with South Africa, 20.13 Insider Trading & Stock Tipping, and 30.9 Participation in 
Hazardous Business. Each of these policies are described in detail in internal business 
documents and also summarized in "the Spirit & the Letter of Our Commitment" 
(incorporated by reference). 

On page 15, delete paragraph [0074] and replace with the following paragraph: 

[0074] Further, a risk QFD matrix is constructed. Figures 12 A and 12B illustrate a 
risk QFD matrix 180. Risk QFD matrix 180 is constructed using information gathered in 
creating business risk model 160 (shown in Figure 10) and compliance risk requirements list 
developed in creating severity matrix 170 (shown in Figure 11). Risk QFD matrix 180 
includes, for example, the business products, processes and environment and is stored within 
server 12. 



On page 16, delete paragraph [0077] and replace with the following paragraph: 

[0077] The score is then entered into risk QFD matrix 180. Figures 13A and 13B 
illustrate one embodiment of a completed risk QFD matrix 190 including a QFD score 192. 
The QFD score 192 may be calculated by any known method. In one specific embodiment, 
server 12 is configured to calculate the QFD score as: 



On page 16, delete paragraph [0080] and replace with the following paragraph: 
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[0080] Once the immediate risks have been identified, the findings are summarized 

from risk QFD matrix 180 (shown in Figures 12A and 12B) in accordance with a risk 
prioritization matrix. The findings are summarized based on risk criteria and process strength 
controls. First, the findings are summarized in the risk prioritization matrix (RPM) using the 
standard template. Next, the risk QFD score 192 guides the placement of the risks into the 
RPM. In one specific embodiment, qualitative input from counsel is included to translate 
those results that are not as clear cut as numbers from the risk QFD score 192. These 
findings are then listed in the available space on the RPM. Once the RPM is completed, it is 
reviewed with compliance and functional leaders. The top three to five compliance 
requirements having the highest risks in the RPM are, for example, automatically identified 
to drive corrective actions. 




On page 18, delete paragraph [0090] and replace with the following paragraph: 

[0090] The process in reducing an RPN is monitored. In a specific embodiment, 
monitoring is accomplished by using policy scorecards. Figures 17A-17D are an 
embodiment of a scorecard 270. Scorecards 270 measure capabilities of specific processes. 
The scorecard formats are stored in server 1 2 (shown in Figures 1 and 2) and are part 
database 18. Scorecards 270 are business specific and in the embodiment shown in Figures 
17A-17D include information on process risk assessment 272, inherent risk assessment 274, 
import infrastructure vitality 276 and import CTQs 278. In alternative embodiments, the 
knowledge base, and thus scorecard 270 may include information relating to specific business 
guidelines defined by each business. The knowledge base also includes, but is not limited to 
information received from functional leaders, quality leaders and policy owners. In yet 
another exemplary embodiment, Inherent Risks are tabulated against Process Risks for 
organizing and categorizing various risk categories. The objective in tabulating Inherent 
Risks versus Process Risks is to strategize set of risks in yet another way for better 
management. Control limits may be set for each business risk based on the type of the risk 
and the tolerance level that the business can accept. 

On page 19, delete paragraph [0093] and replace with the following paragraph: 
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